This topic summarizes the firewall rules required for migration with vMotion, both in your on-premises and cloud data centers.
VMC on AWS Firewall Rules for vMotion
Ensure that the following firewall rules are configured in the VMC Console.
| Description | Source | Destination | Service |
|---|---|---|---|
| Provide access to vCenter Server from on-premises. Used for general vSphere Client access as well as for monitoring vCenter Server. | remote (on-premises) vSphere Client IP address | vCenter | HTTPS |
| Allow outbound vCenter Server access to on-premises vCenter Server. | vCenter | remote (on-premises) vCenter Server IP address | Any (All Traffic) |
| Allow SSO to vCenter Server. | remote (on-premises) Platform Services Controller IP address | vCenter | SSO (TCP 7444) |
| ESXi NFC traffic. | remote (on-premises) ESXi VMkernel networks used for NFC | ESXi | Provisioning (TCP 902) |
| Allow outbound ESXi access to on-premises. | ESXi | remote (on-premises) ESXi management VMkernel networks | Any (All Traffic) |
| Allow vMotion traffic. | remote (on-premises) ESXi vMotion VMkernel networks | ESXi | vMotion (TCP 8000) |
On-Premises Firewall Rules for vMotion
Ensure that the following firewall rules are configured in your on-premises firewall.
| Rule | Action | Source | Destination | Protocol | Port |
|---|---|---|---|---|---|
| On-premises to vCenter Server | Allow | remote (on-premises) vSphere Client subnet | VMware Cloud on AWS vCenter Server IP address | HTTPS | 443 |
| Remote to ESXi provisioning | Allow | remote (on-premises) subnet | | TCP | 902 |
| Cloud SDDC to on-premises vCenter Server | Allow | CIDR block for cloud SDDC management network | On-premises vCenter Server, PSC, Active Directory subnet | HTTPS | 443 |
| Cloud SDDC to ESXi Remote Console | Allow | CIDR block for cloud SDDC management network | VMware Cloud on AWS vCenter Server IP address | | |
| Cloud SDDC to Remote LDAP | Allow | CIDR block for cloud SDDC management network | Remote LDAP Server | TCP | 389, 636 |
| Cloud SDDC to ESXi vMotion | Allow | CIDR block for cloud SDDC management network | Remote ESXi host subnet | TCP | 8000 |
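Before attempting a migration it is worth confirming that each TCP port the two tables require actually answers across the VPN or Direct Connect link. The script below is an added example, not part of the VMware documentation: it encodes the port numbers from the tables as a rule list and probes each one with a plain TCP connect. The hostnames are constructed placeholders that you would replace with your own vCenter Server, PSC, LDAP and ESXi addresses; the `probe` parameter is injectable so the logic can be exercised without network access.

```python
"""Check that the TCP services required for cross-site vMotion are reachable.

Added example, not from the VMware documentation. Hostnames are constructed
placeholders; port numbers come from the firewall tables above.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    destination: str  # placeholder host, replace with your own address
    port: int


# One entry per TCP service named in the tables. Hosts are placeholders.
VMOTION_RULES = [
    Rule("On-premises to cloud vCenter Server (HTTPS)", "vcenter.sddc.example", 443),
    Rule("Cloud SDDC to on-premises vCenter Server/PSC (HTTPS)", "vcenter.onprem.example", 443),
    Rule("SSO to on-premises Platform Services Controller", "psc.onprem.example", 7444),
    Rule("ESXi NFC / provisioning", "esxi01.onprem.example", 902),
    Rule("ESXi vMotion", "esxi01-vmotion.onprem.example", 8000),
    Rule("Remote LDAP", "ldap.onprem.example", 389),
    Rule("Remote LDAPS", "ldap.onprem.example", 636),
]


def tcp_reachable(host, port, timeout=3.0):
    """Return True when a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Covers refused, timed out, unreachable and DNS failures alike.
        return False


def check_rules(rules, probe=tcp_reachable):
    """Probe every rule; return {rule name: reachable}. probe is injectable for tests."""
    return {r.name: probe(r.destination, r.port) for r in rules}


def blocked(rules, probe=tcp_reachable):
    """Names of rules whose port did not answer: the firewall gaps to investigate."""
    return [name for name, ok in check_rules(rules, probe).items() if not ok]


if __name__ == "__main__":
    for name, ok in check_rules(VMOTION_RULES).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```

Run it once from the on-premises side and once from a jump host inside the SDDC management network, since the two tables describe rules in opposite directions.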